authorCoprDistGit <infra@openeuler.org>2024-08-06 02:17:30 +0000
committerCoprDistGit <infra@openeuler.org>2024-08-06 02:17:30 +0000
commit35db127c4920388f07b1c109a88e6845d80ec827 (patch)
treea0f1670b1f0d4b49baf63986bc4968f33cfc6250 /0010-CVE-2023-38200.patch
parent192f645be293b6bad64875fb1cfb872b027d99be (diff)
automatic import of keylimeopeneuler24.03_LTS
Diffstat (limited to '0010-CVE-2023-38200.patch')
-rw-r--r--0010-CVE-2023-38200.patch69
1 files changed, 69 insertions, 0 deletions
diff --git a/0010-CVE-2023-38200.patch b/0010-CVE-2023-38200.patch
new file mode 100644
index 0000000..7c06151
--- /dev/null
+++ b/0010-CVE-2023-38200.patch
@@ -0,0 +1,69 @@
+From e17d5a6a47c1405a799a06754d3e905856e3035d Mon Sep 17 00:00:00 2001
+From: florian <264356+flozilla@users.noreply.github.com>
+Date: Tue, 11 Jul 2023 21:31:27 +0200
+Subject: [PATCH 10/10] CVE-2023-38200
+
+Extend Registrar SSL socket to be non-blocking
+
+Fixes: CVE-2023-38200
+
+Upstream:
+ - https://github.com/keylime/keylime/commit/c68d8f0b7
+ - https://github.com/keylime/keylime/commit/27d515f4b
+---
+ keylime/registrar_common.py | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/keylime/registrar_common.py b/keylime/registrar_common.py
+index d1d20dd..6441e3b 100644
+--- a/keylime/registrar_common.py
++++ b/keylime/registrar_common.py
+@@ -2,8 +2,10 @@ import base64
+ import http.server
+ import ipaddress
+ import os
++import select
+ import signal
+ import socket
++import ssl
+ import sys
+ import threading
+ from http.server import BaseHTTPRequestHandler, HTTPServer
+@@ -77,6 +79,25 @@ class BaseHandler(BaseHTTPRequestHandler, SessionManager):
+
+
+ class ProtectedHandler(BaseHandler):
++ def handle(self) -> None:
++ """Need to perform SSL handshake here, as
++ do_handshake_on_connect=False for non-blocking SSL socket"""
++ while True:
++ try:
++ self.request.do_handshake()
++ break
++ except ssl.SSLWantReadError:
++ select.select([self.request], [], [])
++ except ssl.SSLWantWriteError:
++ select.select([], [self.request], [])
++ except ssl.SSLError as e:
++ logger.error("SSL connection error: %s", e)
++ return
++ except Exception as e:
++ logger.error("General communication failure: %s", e)
++ return
++ BaseHTTPRequestHandler.handle(self)
++
+ def do_HEAD(self) -> None:
+ """HEAD not supported"""
+ web_util.echo_json_response(self, 405, "HEAD not supported")
+@@ -494,7 +515,7 @@ def start(host: str, tlsport: int, port: int) -> None:
+ protected_server = RegistrarServer((host, tlsport), ProtectedHandler)
+ context = web_util.init_mtls("registrar", logger=logger)
+ if context is not None:
+- protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True)
++ protected_server.socket = context.wrap_socket(protected_server.socket, server_side=True, do_handshake_on_connect=False)
+ thread_protected_server = threading.Thread(target=protected_server.serve_forever)
+
+ # Set up the unprotected registrar server
+--
+2.41.0
+
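Review bot: The two `select.select([self.request], [], [])` / `select.select([], [self.request], [])` waits in the new `handle()` carry no timeout, so a peer that connects and then never advances the TLS handshake parks this handler for as long as it keeps the connection open; `do_handshake_on_connect=False` frees the accept loop, but if RegistrarServer hands each connection to its own thread (not visible in the hunk) every stalled peer still pins a thread and a socket indefinitely. A deadline-bounded wait that logs and returns once the budget is spent closes that gap; the rewritten loop below needs `import time` next to the added `import select` and a module-level timeout constant (named as a placeholder). Separately, the `start()` hunk wraps the listening socket only when `context is not None`, yet `handle()` calls `self.request.do_handshake()` unconditionally; on a plain socket that is an AttributeError, which the `except Exception` branch turns into a logged "General communication failure" and an early return for every connection on the protected port, so if a `None` context is a supported configuration guard the loop with `if isinstance(self.request, ssl.SSLSocket):`. The rest of `ProtectedHandler` and of `start()` lie outside the shown hunks.
```python
    def handle(self) -> None:
        """Complete the TLS handshake before dispatching the request; the
        listening socket is wrapped with do_handshake_on_connect=False."""
        deadline = time.monotonic() + HANDSHAKE_TIMEOUT  # HANDSHAKE_TIMEOUT: placeholder, seconds
        while True:
            try:
                self.request.do_handshake()
                break
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError) as e:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    logger.error("SSL handshake timed out")
                    return
                rlist = [self.request] if isinstance(e, ssl.SSLWantReadError) else []
                wlist = [self.request] if isinstance(e, ssl.SSLWantWriteError) else []
                select.select(rlist, wlist, [], remaining)
            # … unchanged: SSLError / Exception handlers …
        BaseHTTPRequestHandler.handle(self)
```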